Storage & Security
Storage & Security
Is customer data encrypted at rest?
Yes.
Which encryption algorithm is used to encrypt customer data at rest?
AES-256
Is customer data encrypted in transit?
Yes.
Protocols used to encrypt customer data in transit:
TLS 1.2.
Is industry-accepted encryption utilized at all times for communication between infrastructure components via public networks? (e.g., Internet-based replication of data from one environment to another)?
Yes.
Access control
Select the access control model(s) in use: discretionary access control (dac), Mandatory Access Control (MAC), Role Based Access Control (RBAC), Attribute Based Access Control (ABAC), Other.
RBAC.
Which groups of staff (individual contractors and full-time) have access to personal and sensitive data shared with you by customers?
Full-Time.
Is multi-factor authentication (MFA) required for employees/contractors to log in to production systems?
Yes.
Is multi factor authentication enforced for all accounts?
Multi factor authentication is available for all accounts, but is only an enforced requirement for admin level accounts.
Do you manage and store the identity of all personnel who have access to the IT infrastructure, including their level of access?
Yes.
When a change in status occurs for an employee, contractor, customer, business partner or interested third party, is access to company systems, data and information assets adjusted (deprovisioned, revoked or modified) appropriately and in a timely manner?
Yes.
Data Retention
Do you keep sensitive data (as defined by your data classification matrix) in hard copy (e.g. paper copies)?
No.
Do you support secure deletion (e.g. degaussing/cryptographic wiping) of soft-copy data (including archived or backed-up data)?
No.
How long is personal data retained for?
2 Years.
Passwords
Do you have an internal password policy?
Yes.
Do you have complexity or length requirements for passwords?
Yes.
What are your password requirements?
- Minimum of 8 characters
- At least 1 uppercase character
- At least 1 number
Are passwords hashed?
Yes.
What hashing algorithm is used to protect passwords:
Bcrypt.
Are passwords salted?
Yes.
Are authentication credentials (password, API token, etc.) protected in transit with strong cryptography for both public and private networks?
Yes.
Is the password policy consistent with NIST SP800-63b?
No. The NIST SP800-63b requires passwords be screened against a blacklist, preventing certain passwords from being used. We do not do this.
Privacy/GDPR
List of Sub-Processors
Amazon (AWS), Twilio, SendGrid, PayPal, Remove.bg, Three Commas.
Please list the countries where sub-processors will process data.
All data is processed in the USA, except for images that have their background removed using Remove.bg, whose servers are in the Netherlands.
Do you protect data with the appropriate controls based on its data classification?
No, all data has the same level of security.
For the provision of services, do you process EU citizens’ personal data?
Yes.
Do you permit the use of shared accounts?
Yes.
Are controls in place to only allow authorized personnel to access your application, program, or object source code?
Yes.
For the provision of services, do you process EU citizens’ personal data?
Yes.
Are you GDPR compliant?
Yes.
GDPR compliance information.
https://www.clearchoicephotobooth.com/gdpr
Do you permit the use of shared accounts?
Yes.
Employees
Are all employees required to sign an NDA preventing them from disclosing any client or company data?
Yes.
Data Storage
Is the data backed up regularly?
Yes.
Are the backup solutions tested regularly?
Yes.
Does the platform use a Single-Tenancy or Multi-Tenancy model?
Multi-Tenancy. All accounts use the same environment and database.
Does the platform have controls to segment networks or data storage from other companies?
No. Refer to the previous question.
Server Location
AWS does not disclose that information due to security risks, we only know the region/country of the service.
North Virginia, USA
Logging
Logging
What kind of data is logged?
Our servers log network-level data only. No application-level data is logged by our servers. The iOS application logs application events local to the iOS device. The iOS application provides a method for the user to upload the logs to our server for diagnostic purposes. This is the only time these logs are ever sent to our server.
How long are the logs retained for?
Server logs are retained for 15 days. Logs saved by the iOS application have a disk quota, where old logs are deleted once the disk quota has been reached. When the logs are uploaded from the iOS application to our server, they are retained by the server for 7 days.
Security Threats
We use AWS to host our infrastructure. AWS provides network and application monitoring, including threat detection. Refer to this web page for more information. We also perform regular penetration testing on our infrastructure.
Physical Security
We use AWS to host our infrastructure. Please refer to this web page for physical security details.